Re: Using 0days as part of pen-test?

[Oliver Schad <oliver.schad () oschad de>]

Am Donnerstag, 15. Januar 2009 schrieb mir David Howe:
> Oliver Schad wrote:
> > I mean, why should I choose as a tester a role of an attacker who
> > knows nothing about the network if there is somebody in this world
> > who could attack this network with all knowledge he needs?
>
>   Normally the framing of the attack model is part of the negotiation -
> you can start out by assuming the attacker will have a full network
> topology and all admin/root passwords, but you will probably find the
> network isn't really that secure, and the report will probably get
> slammed as being "unrealistic". However equally, you can't start out by
> assuming an attacker will know nothing - if an attacker could
> reasonably know something (a valid user/pass pair on the lan, for
> example) that needs to be set out in the contract before the pentest
> starts.

I think it's important to estimate or show the costs for a succesful 
attack. Which way you choose to do this don't matters. The costs is a 
value where a customer can work with.

Regards
Oli

Attachment: signature.asc
Description: This is a digitally signed message part.